Difference between revisions of "IG/W3C security roadmap"

From Web Security

Revision as of 11:26, 17 January 2014

In 2013 several discussions related to security took place in the W3C area. Here are the major features that different contributors mentioned and that the Web Security IG recommends developing.

Security Enablers

The platforms hosting the open web platform offer some security features that are not yet made available to web developers or to users. It may be worth bringing the following features to the open web platform:

- Protocol

Using DANE (DNS-Based Authentication of Named Entities) lets a TLS client check the certificate or public key presented by a server against a TLSA record published in DNS and protected by DNSSEC, which adds a source of trust independent of the browser's CA list. Read the Internet Society article: http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec
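The TLSA check that DANE adds to a TLS connection, as an added example that is not part of the W3C IG page: it parses a TLSA record in presentation format, applies the selector (full certificate or SubjectPublicKeyInfo) and matching type (exact, SHA-256, SHA-512) from RFC 6698, and compares the result with the certificate presented by the server. The certificate and SPKI bytes are constructed placeholders, not real DER, and only the DANE-EE usage (3) is modelled; a real client would fetch the record through a DNSSEC-validating resolver and take the certificate from the TLS handshake.

```python
"""Added example: matching a server certificate against a DANE TLSA record
(RFC 6698).  Not part of the W3C Web Security IG page.

Assumptions: CERT_DER and SPKI_DER are constructed placeholder bytes rather
than real DER structures, and the TLSA record is built here from them."""
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors (section 2.1.2): 0 = full certificate, 1 = SubjectPublicKeyInfo
FULL_CERT, SPKI = 0, 1
# Matching types (section 2.1.3): 0 = exact, 1 = SHA-256, 2 = SHA-512
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """DNS owner name of the TLSA record, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <mtype> <hex data>'."""
    usage, selector, mtype, *hexparts = presentation.split()
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1) \
            or rec.matching_type not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    return rec


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the record's selector and matching type to the presented certificate."""
    selected = cert_der if rec.selector == FULL_CERT else spki_der
    if rec.matching_type == EXACT:
        return selected
    if rec.matching_type == SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def dane_ee_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3): the end-entity certificate itself must match the
    record and no PKIX chain validation is required.  PKIX-EE (usage 1) would
    additionally require normal PKIX validation, and usages 0 and 2 describe a
    trust anchor in the chain; those cases are not modelled here."""
    if rec.usage != DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    expected = association_data(rec, cert_der, spki_der)
    # constant-time comparison so a mismatch leaks nothing about the record
    return hmac.compare_digest(expected, rec.data)


# Constructed placeholders standing in for the DER certificate and its SPKI.
CERT_DER = b"\x30\x82constructed-certificate-bytes-for-the-example"
SPKI_DER = b"\x30\x59constructed-subject-public-key-info-bytes"


def example_record() -> str:
    """The record an operator would publish for CERT_DER's key: usage 3,
    selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()


def check_example() -> bool:
    """Run the DANE-EE check against the constructed certificate."""
    rec = parse_tlsa(example_record())
    return dane_ee_matches(rec, CERT_DER, SPKI_DER)


if __name__ == "__main__":
    print(tlsa_owner_name("www.example.com", 443))
    print("DANE-EE match:", check_example())
```

Publishing the SPKI hash rather than the full certificate (selector 1 instead of 0) lets the operator renew the certificate without touching DNS as long as the key pair is kept, which is why "3 1 1" is the usual choice for DANE-EE.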

- Enabling usage of trusted elements

Platforms may embed trusted elements offering functionality such as trusted storage or trusted execution. These trusted elements can take different forms: an embedded chip (TPM, embedded Secure Element), a pluggable chip (SIM card, smart card, µSD) or an integrated Trusted Execution Environment.

Securing resources

- Secure iFrame: add protection layers against a compromised client environment; preserve JavaScript integrity; handle signed or encrypted JavaScript.

- Secure Delete: as in private browsing mode, allow secure deletion once DOM operations have finished; clean up memory even in persistent virtual memory such as the Windows pagefile.sys.


Security Indicators

The user sometimes gets lost when trying to audit and understand the security of the communication a web app is having. The user interface and the information made available to the user vary largely from one browser to another. On the other hand, some sensitive services are now deployed over the web (communication via WebRTC, payment, ...), for which more control is required. One possible feature to develop could be the standardization of the user interface for viewing or controlling the security level of the communication a web app is using, including certificate management.